New “SOAPwn” .NET Vulnerabilities Expose Barracuda, Ivanti and Microsoft Appliances to RCE Attack

New research into legacy .NET Framework SOAP client code has uncovered “SOAPwn,” a class of vulnerabilities. That can be weaponized for remote code execution (RCE) across multiple enterprise products.

Including Barracuda Service Center RMM, Ivanti Endpoint Manager, Umbraco CMS 8, Microsoft PowerShell, and SQL Server Integration Services.

Understanding the SOAPwn Vulnerability Class

Presented by Piotr Bazydlo at Black Hat Europe 2025, SOAPwn centers on how. NET’s SOAP HTTP client proxies handle URLs.

The affected proxy classes (SoapHttpClientProtocol, DiscoveryClientProtocol, and HttpSimpleClientProtocol) inherit from HttpWebClientProtocol.

Which internally uses WebRequest.Create(uri) without enforcing HTTP-only schemes. If an attacker can influence the URL property (directly or via WSDL imports),

The proxy may transparently switch from HTTP to file:// or UNC paths, turning a network SOAP call into a local or remote file write.

This design quirk enables several attack primitives. At the low end, attackers can relay NTLM by directing SOAP traffic to SMB shares.

Product	CVE ID	Vulnerability Type	Attack Vector
Barracuda Service Center RMM	CVE-2025-34392	Pre-authenticated RCE	Malicious WSDL import
Ivanti Endpoint Manager (EPM)	CVE-2025-13659	WSDL-based RCE	Namespace payload injection
Umbraco 8 CMS	Not assigned	Post-authentication RCE	Web service data source manipulation
Microsoft PowerShell	Not assigned	WSDL consumption RCE	WSDL parsing
Microsoft SQL Server Integration Services	Not assigned	WSDL consumption RCE	WSDL parsing

More critically, when combined with attacker-controlled WSDL and SOAP arguments, the same behavior becomes an arbitrary-file-write primitive.

In real-world appliances, researchers used this to inject ASPX or CSHTML webshells or malicious PowerShell scripts into web-accessible paths, resulting in full RCE.

Affected Products and CVE Details

A light review of the standard. NET-based solutions have already surfaced multiple impacted products.

Barracuda Service Center RMM exposed a pre-authenticated SOAP method that dynamically imports WSDL.

Generates a proxy via ServiceDescriptionImporter, compiles it, and invokes attacker-chosen methods with attacker-supplied arguments.

A single crafted SOAP request was enough to write a webshell to disk, now tracked as CVE-2025-34392 and patched in hotfix 2025.1.1.

Ivanti Endpoint Manager was similarly exploitable via CSHTML payloads smuggled through namespaces in malicious WSDL files.

Umbraco 8 CMS allowed authenticated users with Forms permissions to define arbitrary web service data sources pointing to an attacker’s WSDL, again reaching the same vulnerable proxy path.

According to Watchtowr, Microsoft PowerShell and SSIS were also shown to be vulnerable when consuming untrusted WSDL.

Despite the issues arising from core .NET proxy behavior, Microsoft has repeatedly assigned these findings a “DONOTFIX” status at the framework level.

Characterizing them as application-layer problems and updating documentation instead of shipping code changes.

For defenders, the practical guidance is clear: identify and lock down any use of ServiceDescriptionImporter that processes attacker-controlled WSDL.

Audit all usages of SoapHttpClientProtocol, DiscoveryClientProtocol, HttpPostClientProtocol, and HttpGetClientProtocol where the URL property may be influenced by user input.

Given the age and ubiquity of the .NET Framework in enterprise environments, similar SOAP-style bugs are likely to surface in many more in-house and vendor solutions.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.